The following text was provided by the vendor during testing
to describe how the product implements the specific capabilities.

SCAP

The SCAP standard defines the use of a number of
standardized data formats that together provide information technology and
configuration control assessment capabilities on target platforms. The
standard uses these data formats together as a system that allows for
standardized benchmarks or checklists of security configuration
requirements. First, the XCCDF data specification represents security
checklists or benchmarks in a format that is well-structured and machine
readable. The OVAL data specification provides details or tests to assess
the items required within the XCCDF format. Using these two XML data formats,
the Shavlik NetChk SCAP Processor digests an XCCDF file and, for a benchmark
selected from within it, creates a policy usable within the Shavlik NetChk
Configure product and, when the benchmark requires it, a patch list usable for
scanning by Shavlik NetChk Protect.

At a more detailed level, the NetChk SCAP Processor uses the
CCE identifiers found in the XCCDF benchmarks as a mapping to existing
compliance checks within NetChk Configure which can be assessed or
enforced. In addition, other CCE items included in benchmarks required
within the SCAP data feeds can be assessed or remediated using one or more
custom checks built to the requirements of the individual CCE item.
Generally, the built-in checks use the XCCDF content for configuration into the
policy file and the OVAL file provides additional details needed for these
checks; the custom checks typically require further configuration details
needed in OVAL files associated with the XCCDF file. The NetChk SCAP
Processor also uses the OVAL patch data, combined with a Shavlik patch mapping,
associated with the XCCDF benchmarks, when defined, to construct a patch list
for use by NetChk Protect.

Using this combination of built-in and custom checks in
NetChk Configure, the full range of CCE items in an SCAP data feed (XCCDF
benchmark) can be assessed or remediated on a target scan. Further, when
defined, NetChk Protect provides scanning for OVAL-defined
vulnerabilities/patches that can be assessed or remediated on a target scan.
The NetChk SCAP Processor then uses the reported results from the NetChk
Configure and NetChk Protect target scan to provide in- or out-of-compliance
results reported against each CCE item or OVAL vulnerability/patch item
associated with the SCAP benchmark. CVE results are available within the
NetChk SCAP Processor for patch assessment. CVSS, the risk scoring
system, is available with the use of the web-based calculator to determine
scoring of CCE or CVE items. The final SCAP data standard is the platform-based
CPE format, which provides a common naming scheme used in the output results to
identify specific technology platforms assessed within the entire SCAP process
against the XCCDF benchmark.

CVE

The CVE data specification provides a commonly understood identifier
for specific software flaws/vulnerabilities on various technology platforms
(e.g., Windows XP or Internet Explorer). The Shavlik NetChk Configure
SCAP Edition is the commercial off-the-shelf version of NetChk Configure plus a
licensable module called the Shavlik NetChk SCAP Processor. The NetChk SCAP
Processor uses the OVAL patch definitions associated with an SCAP benchmark and
their related CVE identifiers to specifically map to patches found or
missing. Assessment for the presence of the required patches in an SCAP
benchmark is done using Shavlik NetChk Protect. The absence or presence
of a patch then further indicates that CVE-identified vulnerabilities exist or
do not exist on the scanned machine. The patch information also uses the
vendor's identifiers for the patch to match specific patches to those defined in
the associated OVAL file. Patch scan information is used by the NetChk
SCAP Processor to assess the presence or absence of software
flaws/vulnerabilities. CVE items associated with these patches are called
out in the reporting results in addition to the presence or absence of a patch.

Using the combination of configuration checks from Shavlik
NetChk Configure SCAP Edition and CVE/patch-related results from Shavlik NetChk
Protect, the full range of configuration requirements in an SCAP data feed
(XCCDF benchmark) can be assessed or enforced. The Shavlik NetChk SCAP
Processor then uses the reported results from the Shavlik NetChk Configure and
Shavlik NetChk Protect target scan to provide in- or out-of-compliance results
reported against each item in the SCAP benchmark.

CCE

The CCE data specification provides a commonly understood
identifier for specific configuration items on various technology platforms
(e.g., Windows XP or Internet Explorer). The Shavlik NetChk Configure
SCAP Edition is the commercial off-the-shelf version of NetChk Configure plus a
licensable module called the NetChk SCAP Processor. The NetChk SCAP Processor
uses the SCAP benchmark CCE identifiers to specifically map to existing
compliance checks that are part of Shavlik NetChk Configure which then can
assess or enforce these items. Other CCE items included in benchmarks
required within SCAP data feeds can be assessed or remediated using one or more
"custom" checks built to the requirements of the individual CCE item.

Using this combination of built-in and custom checks in
Shavlik NetChk Configure, the full range of CCE items in an SCAP data feed
(XCCDF benchmark) can be assessed or enforced. The Shavlik NetChk SCAP
Processor then uses the reported results from the Shavlik NetChk Configure
target scan to provide in- or out-of-compliance results reported against each
CCE item in the SCAP benchmark.

CPE

The CPE data specification provides a commonly understood
identifier for specific technology platforms (e.g., Windows XP or Internet
Explorer). The Shavlik NetChk SCAP Processor uses the SCAP data feed and
the included CPE identifiers to map to specific technology platforms. The
platforms and their associated CPE identifiers are specifically referenced
within the SCAP data feeds and these identifiers are then used within the
Shavlik NetChk SCAP Processor as the means to specifically identify the
platforms within assessment results and any SCAP-required reporting details.

Using the platform CPE values from within the SCAP data
feeds combined with the Shavlik NetChk Configure SCAP Edition provides the
means to assess platforms correctly and then present proper results for these
various platforms as assessed or remediated. CPE values for assessed or
remediated platforms are then included in the reporting results.
Benchmark requirements for specific assessed or remediated items can then be
associated with the target, the platform, and specific item within the reported
results.

CVSS

The CVSS (Common Vulnerability Scoring System) provides a
commonly understood open framework to determine the impact and characteristics
of vulnerabilities within information technology. Scores using this
methodology are currently only implemented and available for CVE (Common
Vulnerability Enumeration) items. The scores for these specific items can
be located at the associated location on the National Vulnerability Database
website using the naming scheme for each item such as for the vulnerability
with CVE identifier CVE-2008-1436 at
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1436. Using CVE's common
identifiers along with the scoring mechanisms for the impact of the
vulnerability provides a powerful combination for assessing risks due to the
vulnerability. Even with the CVSS-related values presented for CVE items,
other areas of impact including environmental or temporal (time-related)
scoring also can be added using the CVSS calculators discussed below.

CVSS is currently undergoing development to incorporate
scoring for CCE (Common Configuration Enumeration) items. These are
currently not available on the CVSS website, and cannot be searched or looked
up similar to the CVE database. Nonetheless, using similar scoring
characteristics to the CVE items, a user can currently compute a CVSS score for
a CCE item using one of two calculators available for this purpose at:

http://nvd.nist.gov/cvss.cfm?calculator&version=2

or a more advanced version at:

http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

The calculation requires inputs for a number of metrics tied
to three areas: base score, temporal score and environmental score. These
three areas create the final score that is associated with the
vulnerability. This is the scoring approach recommended for CVSS scores
required for use with the Shavlik product.

XCCDF

The XCCDF data specification provides the means to represent
security checklists or benchmarks in a format that is well-structured and
machine readable. Using this XML data format, the Shavlik NetChk SCAP
Processor digests an XCCDF file and creates a policy usable in Shavlik NetChk
Configure based on a benchmark within the XCCDF file. The NetChk SCAP
Processor uses the configuration identifiers found in the XCCDF benchmarks and
maps those to existing built-in compliance checks that are part of the standard
NetChk Configure product. NetChk Configure then assesses or enforces
these items. Additional items included in benchmarks and required within
the SCAP data feeds can be assessed or remediated using custom checks built to
the requirements of the individual CCE item. Generally, the built-in
checks use the XCCDF content for configuration into the policy file; the custom
checks may require configuration details contained in OVAL files associated
with the XCCDF file. Also, additional items may be included in the
benchmark related to patches. These items are typically included in an
associated OVAL file, but results are used in combination with the configuration
results to provide the complete benchmark requirements.

Using this combination of built-in and custom checks in
NetChk Configure and any additional patch/vulnerability results from NetChk
Protect that are related to the XCCDF benchmark, the full range of
configuration/vulnerability items in the XCCDF file can be assessed or
remediated. The NetChk SCAP Processor then uses the reported results from
the combined NetChk Configure and Shavlik NetChk Protect target scan to provide
in- or out-of-compliance results reported against each
configuration/vulnerability item in the SCAP benchmark. Such reported
results can then be output in the XCCDF data format.

OVAL

OVAL data is closely inter-related with the XCCDF data
specification. The XCCDF data specification represents security
checklists or benchmarks in a format that is well-structured and machine
readable. The OVAL data specification then provides the details or tests
to assess the items required within the XCCDF format. Using these two
combined XML data specifications, the Shavlik NetChk SCAP Processor digests an
XCCDF file together with its OVAL tests, allows selection of an XCCDF
benchmark, and creates a policy usable within Shavlik NetChk Configure and, when
required by the benchmark, a patch list usable for scanning by Shavlik NetChk
Protect. The NetChk SCAP Processor uses the configuration identifiers
defined within the XCCDF benchmarks combined with the OVAL data as a mapping to
existing compliance checks in NetChk Configure that can assess or enforce these
items. Additional configuration items included in benchmarks and required
within the SCAP data feeds can be assessed or remediated using one or more
custom checks built to the requirements of the individual CCE item using
the OVAL content as further guidance. Further, the NetChk SCAP Processor
uses OVAL data combined with a mapping to Shavlik patch data to allow assessment
of vulnerabilities or deployment of patches by NetChk Protect.

The full range of configuration items in the XCCDF file can
be assessed or remediated using the combination of built-in and custom checks
scanned by NetChk Configure as defined by the XCCDF benchmark and as configured
based on OVAL content and also using vulnerability/patch-related results from
NetChk Protect. The NetChk SCAP Processor then uses the reported results
from the NetChk Configure target scan, and if needed, patch assessment results
from the NetChk Protect scan, to provide in- or out-of-compliance results
reported against each configuration item in the SCAP benchmark.
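The XCCDF-plus-OVAL flow described in the SCAP, XCCDF and OVAL sections, as an added example that is not Shavlik code: a small Python routine selects a profile from a constructed XCCDF 1.1 benchmark and routes each selected rule to a built-in check, an OVAL-driven custom check, or the patch list. The built-in check table, the rule and CCE ids, the OVAL file names, and the rule that a CCE-less check drawn from the patch file goes to the patch list are all assumptions made for this example (the product itself uses OVAL patch data with a Shavlik patch mapping for that step).

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCE_SYS = "http://cce.mitre.org"
OVAL_SYS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Constructed stand-in for the product's table of existing built-in checks.
BUILTIN = {"CCE-0000-1": "minimum_password_length"}
# Constructed benchmark: three selected rules plus one the profile deselects.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="bench-1">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="prof-1"><select idref="rule-pw" selected="true"/>
    <select idref="rule-audit" selected="true"/><select idref="rule-patch" selected="true"/>
    <select idref="rule-unused" selected="false"/></Profile>
  <Rule id="rule-pw"><ident system="http://cce.mitre.org">CCE-0000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="config-oval.xml" name="oval:ex:def:1"/></check></Rule>
  <Rule id="rule-audit"><ident system="http://cce.mitre.org">CCE-0000-2</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="config-oval.xml" name="oval:ex:def:2"/></check></Rule>
  <Rule id="rule-patch"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="patches-oval.xml" name="oval:ex:def:3"/></check></Rule>
  <Rule id="rule-unused"><ident system="http://cce.mitre.org">CCE-0000-9</ident></Rule>
</Benchmark>"""

def build_policy(xml_text, profile_id):
    """Route each rule selected by the profile: CCE in the built-in table -> built-in
    check; other CCE -> custom check with its OVAL ref; patch-file OVAL -> patch list."""
    root = ET.fromstring(xml_text)
    prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise ValueError(f"no profile {profile_id!r} in benchmark")
    selected = {s.get("idref") for s in prof.findall("x:select", NS)
                if s.get("selected") == "true"}
    policy = {"platforms": [p.get("idref") for p in root.findall("x:platform", NS)],
              "builtin": {}, "custom": {}, "patches": []}
    for rule in root.findall("x:Rule", NS):
        rid = rule.get("id")
        if rid not in selected:
            continue
        ident = rule.find(f"x:ident[@system='{CCE_SYS}']", NS)
        cce = ident.text if ident is not None else None
        ref = rule.find(f"x:check[@system='{OVAL_SYS}']/x:check-content-ref", NS)
        oval = (ref.get("href"), ref.get("name")) if ref is not None else None
        if cce is None and oval and oval[0].startswith("patches"):
            policy["patches"].append(oval[1])      # handed to the patch scanner
        elif cce in BUILTIN:
            policy["builtin"][cce] = BUILTIN[cce]  # existing product check
        else:
            policy["custom"][cce or rid] = oval    # needs an OVAL-driven custom check
    return policy
```

The CPE platform value is carried into the policy so that results can later be reported against target, platform and item, as the CPE section describes.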
